DCSync is a powerful tool in the hands of a red teamer and a nightmare for blue teamers. For the blue teamer, all is not lost: this type of attack may not be feasible to stop, but it can be detected.

Abstract

Here I will show how you can quickly and easily get detections in place for DCSync. I begin with a brief overview of DCSync and a
quick guide on how to use it to get credentials. I then cover how to detect this type of attack and why I chose the route I did.
Finally, I provide references for further review if more information is desired.

DCSync

Description

DCSync works by requesting account password data from a Domain Controller [1]. It can also ask Domain Controllers to replicate information using the Directory
Replication Service Remote Protocol [2]. All of this can be done without running any code on a Domain Controller, unlike some of the other ways Mimikatz extracts
password data. What's even worse, this attack takes advantage of a valid and necessary function of Active Directory, meaning it cannot be turned off or
disabled. That being said, we must rely on detection.

Getting Credentials

I split this into two parts, local and remote. As the names suggest, each of these sections covers how to run DCSync depending on whether you want to run it
locally or remotely. To follow along, all one needs is a Windows Active Directory Domain Controller. If running DCSync remotely, a separate machine with Impacket
installed is needed.

Detection

For most people and environments, network monitoring may not be a realistic option, leaving us with the Event ID. To detect DCSync with Event ID 4662, we want to
examine the value of the Properties field and see if it contains Replicating Directory Changes All, 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2, 9923a32a-3607-11d2-b9be-0000f87a36b2, or 1131f6ac-9c07-11d1-f79f-00c04fc2dcd2 anywhere in it.

In the example above we can see the Properties value is %%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}. This does contain one of the
strings we are looking for, 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2, making this a positive match.
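The check described above, written out as a small detector over exported Event ID 4662 records, as an added example that is not part of the original post. It parses events in the standard Windows event XML layout, pulls the Properties field, and reports any of the replication GUIDs (or the "Replicating Directory Changes All" display name) listed above. The sample events, the host name DC01.example.local, the account names and the `allowlist` parameter are constructed assumptions for the demonstration; the GUID list is the one given in the text.

```python
"""Flag DCSync-style replication requests in Windows Security Event ID 4662 records.

Added example: parses events in the Windows event XML layout (as exported by
Event Viewer or Get-WinEvent ... | % ToXml) and inspects the Properties field
for the replication indicators named in the post.
"""
import re
import xml.etree.ElementTree as ET

# Indicator GUIDs from the post. Only the first has its display name given there.
DCSYNC_PROPERTY_GUIDS = {
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # Replicating Directory Changes All
    "9923a32a-3607-11d2-b9be-0000f87a36b2",
    "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2",
}
DISPLAY_NAME = "Replicating Directory Changes All"

# Matches a GUID with or without surrounding braces (the post's own example
# is missing a closing brace, so braces are optional on both sides).
GUID_RE = re.compile(
    r"\{?([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\}?", re.I
)
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_4662(xml_text):
    """Return EventData as a dict for a 4662 event, or None for any other event ID."""
    root = ET.fromstring(xml_text)
    eid = root.find("e:System/e:EventID", NS)
    if eid is None or (eid.text or "").strip() != "4662":
        return None
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    data["EventID"] = 4662
    return data


def dcsync_matches(properties):
    """Return the sorted list of indicators present in a Properties value."""
    found = {g.lower() for g in GUID_RE.findall(properties)} & DCSYNC_PROPERTY_GUIDS
    if DISPLAY_NAME in properties:
        found.add(DISPLAY_NAME)
    return sorted(found)


def scan_events(events, allowlist=frozenset()):
    """Return (SubjectUserName, indicators) for each matching 4662 event.

    allowlist (assumption): accounts expected to replicate, e.g. Domain
    Controller machine accounts, which are skipped to cut known-good noise.
    """
    alerts = []
    for xml_text in events:
        ev = parse_4662(xml_text)
        if ev is None:
            continue
        user = ev.get("SubjectUserName", "?")
        hits = dcsync_matches(ev.get("Properties", ""))
        if hits and user not in allowlist:
            alerts.append((user, hits))
    return alerts


# Constructed sample events (not real log data). Host, users and domain are made up.
_TEMPLATE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>{eid}</EventID><Computer>DC01.example.local</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">{user}</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="ObjectType">%{{19195a5b-6da0-11d0-afd3-00c04fd930c9}}</Data>
    <Data Name="AccessMask">0x100</Data>
    <Data Name="Properties">{props}</Data>
  </EventData>
</Event>"""

_REPL_PROPS = "%%7688\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}"
_BENIGN_PROPS = "%%7688\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}"

SAMPLE_EVENTS = [
    _TEMPLATE.format(eid=4662, user="svc_backup", props=_REPL_PROPS),  # should alert
    _TEMPLATE.format(eid=4662, user="DC02$", props=_REPL_PROPS),       # DC replicating
    _TEMPLATE.format(eid=4662, user="jdoe", props=_BENIGN_PROPS),      # ordinary access
    _TEMPLATE.format(eid=4624, user="jdoe", props=_REPL_PROPS),        # not a 4662
]

if __name__ == "__main__":
    for user, hits in scan_events(SAMPLE_EVENTS, allowlist={"DC02$"}):
        print(f"possible DCSync by {user}: {', '.join(hits)}")
```

The detector only sees what auditing produces: if "Audit directory service access" success auditing is not enabled on the Domain Controller, no 4662 events exist to scan. Domain Controllers replicating with each other generate the same property GUIDs legitimately, so an allowlist of DC machine accounts is the usual first tuning step; anything else requesting these rights deserves a look.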

Not all machines have logging for this event turned on by default; on Windows Server 2016, for example, the GPO will need to be set to log this event ID. This is done by opening the Local Group Policy
Editor and going to Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy. Right-click Audit directory service access, then
click Properties. Check the box for Success and click Apply.

Note

On my Windows 2016 server the GPO keeps getting turned off. Searching, I did find two posts [10, 5] where people
were having issues similar to the one I am experiencing. Though in these articles there were no sufficient answers.